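# IAM Server Configuration Example
#
# Copy this file to iam.toml and adjust the settings.
#
# This file holds secret material (the token signing key and, for SQL
# backends, database credentials). Keep the deployed copy readable only by
# the account that runs the IAM server and keep real values out of version
# control.
#
# Admin API protection:
#   Set environment variable IAM_ADMIN_TOKEN (or PHOTON_IAM_ADMIN_TOKEN) to
#   require an admin token for all IamAdminService gRPC calls.
#   NOTE(review): as worded, the token is only required when one of these
#   variables is set. Confirm what the server does when both are unset, and
#   set one in every deployment reachable by anything other than localhost.

[server]
# Listen address.
# "0.0.0.0" binds every IPv4 interface. With [server.tls] left commented out
# below, the listener presumably serves gRPC without transport encryption, so
# bearer tokens and the admin token would be readable on the wire. Enable
# TLS, or bind to a loopback/private address, before exposing this port.
addr = "0.0.0.0:50051"

# TLS configuration (optional)
# require_client_cert presumably turns on mutual TLS (clients must present a
# certificate issued by ca_file); confirm, and prefer true when every caller
# is a known service.
# [server.tls]
# cert_file = "/etc/iam/certs/server.crt"
# key_file = "/etc/iam/certs/server.key"
# ca_file = "/etc/iam/certs/ca.crt"
# require_client_cert = false

[store]
# Backend type: "flaredb", "postgres", "sqlite", or "memory" (memory is test/dev only)
backend = "flaredb"

# FlareDB backend configuration
flaredb_endpoint = "127.0.0.1:2479"
flaredb_namespace = "iam"

# SQL backend configuration (required when backend is "postgres" or "sqlite")
# The URL embeds the database password ("secret" is a sample value): use a
# unique credential and treat this file as a secret once it is filled in.
# database_url = "postgres://iam:secret@127.0.0.1:5432/iam"
# SQLite is supported only in single-node mode
# single_node = true

[cluster]
# ChainFire endpoint for cluster coordination only
# The sample uses plain http:// on localhost. If the endpoint is on another
# host, check whether an encrypted transport is available for it.
# chainfire_endpoint = "http://localhost:2379"

[authn]
# JWT/OIDC configuration (optional)
# Keep jwks_url on https:// so the verification keys are fetched over an
# authenticated channel. issuer and audience should match the identity
# provider exactly; presumably tokens that differ on either are rejected.
# A long jwks_cache_ttl_seconds delays pickup of rotated or withdrawn keys.
# [authn.jwt]
# jwks_url = "https://auth.example.com/.well-known/jwks.json"
# issuer = "https://auth.example.com"
# audience = "iam"
# jwks_cache_ttl_seconds = 3600

# Internal token configuration
[authn.internal_token]
# Signing key for internal tokens
# IMPORTANT: Change this to a secure random value in production!
# The placeholder below is public, so a server started with it presumably
# accepts internal tokens that anyone can sign. Generate the key from a
# CSPRNG (for example 32 or more random bytes; the expected encoding and
# length are not shown here, so confirm against the server), use a different
# key per environment, and rotate it if this file is ever disclosed.
signing_key = "change-this-to-a-secure-random-value-in-production"
issuer = "iam"
# Token lifetimes bound how long a leaked token stays usable; lower
# max_ttl_seconds if callers can re-authenticate more often.
default_ttl_seconds = 3600  # 1 hour
max_ttl_seconds = 604800  # 7 days

[logging]
# Log level: "trace", "debug", "info", "warn", "error"
# NOTE(review): verify that "debug" and "trace" do not write tokens or
# request bodies to the log before using them outside development.
level = "info"
# Log format: "text" or "json"
format = "text"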